Question

I am working on a SharePoint Online site collection. We have a list which can only be viewed by certain users, but inside our workflow we want to be able to add items to this list. To be able to do this, I need to run the workflow with elevated privileges. So I followed the steps mentioned at this link https://blog.devoworx.net/2016/01/31/unauthorized-http-workflow-how-to-create-a-workflow-with-elevated-permissions-by-using-the-sharepoint-2013-workflow/, which are:

  1. Enable the "Activate Workflows can use app permissions" feature.

  2. I copied the app id from "Site Settings > Below Users and Permissions > Click on Site App Permissions".

  3. Then I navigated to http://hostname/_layouts/15/appinv.aspx.

  4. I pasted the app id and clicked on lookup, and I got the app details.

  5. Then inside the "APP Permissions Request XML", I typed the following:

  6. I created a workflow and added my actions inside "App Step", as follows:


and my workflow was able to add items under the restricted list.

But I am not sure whether allowing the workflow to run with elevated privileges (enabling it to use app permissions) can pose a security hole inside our sites.

For example: can non-admin users benefit from this ability to perform actions they aren't authorized to do? Or are the steps I followed fine from a security point of view?


Solution

Allowing the workflow to run with elevated privileges (enabling it to use app permissions) doesn't pose any security holes in SharePoint.

The following are the points you should know before using the App Step in a workflow:

  1. The one drawback of using an Impersonation Step is that the workflow could suddenly stop working if anything were to happen to the user account that created and published the workflow.

  2. The purpose of the Impersonation Step is to run any actions inside this step as the user who authored the workflow. If the account that creates and publishes the workflow is edited in some way, possibly with a permission change on the site or a password change, then you have a broken workflow!

  3. I know App Step provides a facility to run SharePoint Designer activities under a Service Account user. But by enabling the App Step, you can see that a user who does not have permission on a sub-site can perform any operations (even deletion) on the sub-site by creating the SharePoint Designer workflow on the root web once the workflow app identifier is configured.

  4. Users with "design" and "full control" permission on the site can create Designer workflows and use the App Step inside their workflows. So manage the permissions on the site accordingly.
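An added example, not part of the original answer or of the linked blog post: a small reviewer for the permission request XML entered on appinv.aspx, flagging grants that give every workflow author with App Step access more reach than intended. The function and constant names are hypothetical, and the sample XML is constructed for illustration; it is not the XML the asker typed.

```python
import xml.etree.ElementTree as ET

SCOPE_PREFIX = "http://sharepoint/content/"
# Relative breadth of each standard add-in permission scope (higher = wider).
SCOPE_BREADTH = {"tenant": 3, "sitecollection": 2,
                 "sitecollection/web": 1, "sitecollection/web/list": 0}
HIGH_RIGHTS = {"Manage", "FullControl"}


def _local(tag):
    """Strip an XML namespace, if present, from a tag name."""
    return tag.rsplit("}", 1)[-1]


def review_permission_xml(xml_text):
    """Return a list of findings for one app permission request document."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("AllowAppOnlyPolicy", "false").lower() == "true":
        findings.append("app-only policy requested: calls need no user context")
    for req in root.iter():
        if _local(req.tag) != "AppPermissionRequest":
            continue
        scope, right = req.get("Scope", ""), req.get("Right", "")
        level = scope[len(SCOPE_PREFIX):] if scope.startswith(SCOPE_PREFIX) else None
        if level not in SCOPE_BREADTH:
            findings.append(f"unrecognised scope {scope!r}: review manually")
        elif SCOPE_BREADTH[level] >= 2:
            findings.append(f"{right} on {level}: reaches every site in scope, sub-sites included")
        elif right in HIGH_RIGHTS:
            findings.append(f"{right} on {level}: workflow authors can change or delete content there")
    return findings


# Constructed samples: a broad grant and a grant limited to a single list.
BROAD = """<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
</AppPermissionRequests>"""
NARROW = """<AppPermissionRequests>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web/list" Right="Write" />
</AppPermissionRequests>"""

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, review_permission_xml(doc) or "no findings")
```

An empty result means only that the request is not broad or high-privilege by these rules; who holds "design" or "full control" on the site still decides who can use the grant.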

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange